Amendment to the Claims

This listing of claims will replace all prior versions, and listings, of claims in the application: 

Claim 1 (currently amended). A method of detecting an attack on an authentication service, said 
method comprising: 

storing data relating to a plurality of requests communicated to an authentication service 
from a plurality of user agents via a data communication network, said requests each including a
password, and wherein storing the data relating to the requests comprises storing the password of
each of the requests only if the request is unsuccessful;

searching the stored data based on a query variable to identify at least one of the plurality 
of the requests communicated from at least one of the plurality of the user agents, and 

comparing the stored data associated with each of the identified request[[s]] with a 
predefined pattern characterizing an attack based on the stored password of the identified request 
to determine when the identified request indicates the characterized attack on the authentication 
service; and

detecting the attack in response to determining that the identified request indicates the
characterized attack.

Claim 2 (original). The method of claim 1, wherein said storing the data relating to the plurality 
of the requests comprises storing one or more of the following: 

a network address from which one of the plurality of the requests is communicated; a 
credential type of the one of the plurality of the requests; a user account associated with the one 
of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp 
indicating a date and time of the one of the plurality of the requests; a type of interface from 
which the one of the plurality of the requests is communicated; and the user agent from which 
the one of the plurality of the requests is communicated. 

Claim 3 (original). The method of claim 2, wherein said status of the one of the plurality of the 
requests comprises one or more of the following: the one of the plurality of the requests is
successful; the one of the plurality of the requests is unsuccessful; and the user account
associated with the one of the plurality of the requests has been locked. 

Claim 4 (canceled).

Claim 5 (original). The method of claim 1, wherein said comparing the stored data associated 
with each of the identified requests with the predefined pattern comprises comparing the stored 
data with a pattern characterized by one or more of the following: using a single password to 
unsuccessfully attempt at least a predetermined quantity of requests on multiple user accounts 
within a predefined time interval; using the single password to unsuccessfully attempt at least the
predetermined quantity of the requests from a single network address on the multiple user
accounts within the predefined time interval; and unsuccessfully attempting at least the 
predetermined quantity of the requests from the single network address within the predefined 
time interval. 

Claim 6 (original). The method of claim 1, wherein said comparing the stored data associated 
with each of the identified requests with the predefined pattern comprises comparing the stored 
data with a pattern characterized by one or more of the following: using multiple passwords to 
unsuccessfully attempt at least a predetermined quantity of requests on a single user account 
within a predefined time interval; using the multiple passwords to unsuccessfully attempt at least 
the predetermined quantity of the requests from a single network address on the single user
account within the predefined time interval; and unsuccessfully attempting at least the
predetermined quantity of the requests on the single user account within the predefined time 
interval. 

Claim 7 (original). The method of claim 1, wherein said comparing the stored data associated 
with each of the identified requests with the predefined pattern comprises comparing the stored 
data with a pattern characterized by one or more of the following: a single password to 
unsuccessfully attempt at least a predetermined quantity of requests from multiple network
addresses on a single user account within a predefined time interval; and unsuccessfully
attempting at least the predetermined quantity of the requests from the multiple network
addresses on the single user account. 
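
The patterns recited in claims 5 to 7, applied to a log kept as claim 1 describes, as an added example that is not part of the application. All names, the threshold of 3, the time window and the sample records are constructed for illustration, and a keyed digest is assumed in place of the stored password so that equal passwords can still be grouped.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LOG_KEY = b"constructed-demo-key"  # assumption: secret held by the logging tier

@dataclass(frozen=True)
class Record:
    ts: int                   # time stamp, seconds
    address: str              # network address of the user agent
    account: str
    success: bool
    pw_digest: Optional[str]  # set only when the request was unsuccessful

def digest(password):
    # Assumption: a keyed digest stands in for the stored password; equal
    # passwords still give equal values, which is all the patterns need.
    return hmac.new(LOG_KEY, password.encode(), hashlib.sha256).hexdigest()

def store_request(log, ts, address, account, password, success):
    """Claim 1 storing step: keep the password only for a failed request."""
    log.append(Record(ts, address, account, success,
                      None if success else digest(password)))

def search_failed(log, start, end):
    """Query step, using the time interval as the query variable."""
    return [r for r in log if not r.success and start <= r.ts < end]

def _match(failed, group_by, spread_over, threshold):
    """Groups with >= threshold failures spread over more than one value."""
    groups = defaultdict(list)
    for r in failed:
        groups[getattr(r, group_by)].append(getattr(r, spread_over))
    return {k: sorted(set(v)) for k, v in groups.items()
            if len(v) >= threshold and len(set(v)) > 1}

# pattern name -> (field that is single, field that is multiple)
PATTERNS = {
    "one_password_many_accounts": ("pw_digest", "account"),  # claim 5
    "many_passwords_one_account": ("account", "pw_digest"),  # claim 6
    "many_addresses_one_account": ("account", "address"),    # claim 7
}

def detect(log, start, end, threshold):
    """Compare the failed requests in [start, end) with each pattern."""
    failed = search_failed(log, start, end)
    return {name: _match(failed, g, s, threshold)
            for name, (g, s) in PATTERNS.items()}

def build_sample_log():
    """Constructed records, not real traffic."""
    log = []
    for i, acct in enumerate(["alice", "bob", "carol", "dave"]):
        store_request(log, 100 + 10 * i, "203.0.113.7", acct, "Winter2024!", False)
    for i, pw in enumerate(["123456", "qwerty", "erin1990", "password1"]):
        store_request(log, 200 + 10 * i, "198.51.100.9", "erin", pw, False)
    for i, addr in enumerate(["192.0.2.1", "192.0.2.2", "192.0.2.3"]):
        store_request(log, 300 + 10 * i, addr, "frank", "letmein", False)
    # One mistyped attempt followed by a success: must not match any pattern.
    store_request(log, 400, "198.51.100.50", "grace", "corect horse", False)
    store_request(log, 405, "198.51.100.50", "grace", "correct horse", True)
    # Outside the searched interval.
    store_request(log, 9000, "203.0.113.7", "heidi", "Winter2024!", False)
    return log

if __name__ == "__main__":
    for name, hits in detect(build_sample_log(), 0, 600, threshold=3).items():
        print(name, hits)
```
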

Claim 8 (currently amended). The method of claim 1, further comprising generating a report if it
is determined that one or more of the identified requests indicate the characterized attack in
response to detecting the attack, said report providing information regarding the attack for use in
defending against the attack.

Claim 9 (currently amended). The method of claim 1, further comprising remedying the attack if 
it is determined in response to detecting the attack that one or more of the identified requests
indicate the characterized attack.

Claim 10 (original). The method of claim 1, wherein said remedying the attack comprises 
performing one or more of the following: locking a user account associated with one of the 
plurality of the requests; blocking a network address from which the one of the plurality of the 
requests is communicated; implementing a human interaction proof on the authentication service; 
prompting a user to change a password associated with the user account; and limiting a quantity 
of allowed unsuccessful requests to a predetermined quantity within a predefined time interval
for the network address from which the one of the plurality of the requests is communicated. 

Claim 11 (original). The method of claim 1, wherein the plurality of the requests comprises one
or more of the following types of requests: authentication, registration, and password-reset; 
wherein one of the plurality of the requests is communicated via a human interaction proof; and 
wherein said storing the data relating to the plurality of the requests comprises storing one or 
more of the following: a network address from which the one of the plurality of the requests is 
communicated, a process where the human interaction proof is implemented, a time stamp 
indicating a date and time of the one of the plurality of the requests, and the user agent from 
which the one of the plurality of the requests is communicated. 

Claim 12 (original). The method of claim 11, wherein said comparing the stored data associated 
with each of the identified requests with the predefined pattern comprises comparing the stored 
data with a pattern characterized by one or more of the following: using multiple test strings to 
unsuccessfully attempt at least a predetermined quantity of requests on a single human 
interaction proof string within a predefined time interval; and using a single test string to 
unsuccessfully attempt at least the predetermined quantity of the requests on multiple human
interaction proof strings within the predefined time interval. 

Claim 13 (original). The method of claim 1, wherein said comparing the stored data associated 
with each of the identified requests with a predefined pattern comprises: 

comparing historical data relating to the authentication service with the stored data, and 

in response to said comparing, determining if the stored data deviates from the historical 
data to determine if the attack on the authentication service has occurred. 

Claim 14 (currently amended). The method of claim 1, wherein said searching the stored data to 
identify at least one of the plurality of the requests comprises searching the stored data to 
generate a result set based on one or more of the following query variables: a network address 
that communicates [[an]] a request, a quantity of user accounts for which access has been 
attempted, a password associated with a failed request, a quantity of failed requests for one or 
more user accounts, a quantity of requests for one or more user accounts, and a time interval 
during which one or more requests are communicated; wherein the result set identifies the stored 
data relating to one or more requests that correspond to the query variables. 

Claim 15 (currently amended). The method of claim 1, wherein one or more computer-readable 
storage media have computer-executable instructions for performing the method recited in claim 
1. 

Claim 16 (currently amended). A system of detecting an attack on an authentication service, said 
system comprising: 

a first memory area to store data relating to a plurality of requests communicated to an 
authentication service from a plurality of user agents via a data communication network, said
data being stored in the first memory area as a log of the authentication service, wherein each of
the requests communicated to the authentication service includes a password and wherein the
stored data contains the password of each of the requests only if the request is unsuccessful;

a second memory area to store a predefined pattern of one or more requests, said 
predefined pattern characterizing an attack on the authentication service; and 

a processor configured to execute computer-executable instructions to:

search the stored data as a function of a query variable to identify at least one of the 
plurality of the requests communicated from at least one of the plurality of the user agents, 

compare the stored data associated with each of the identified requests with the 
predefined pattern, and 

determine whether the identified request indicates the attack characterized by the 
predefined pattern, and

detect the attack in response to determining that the identified request indicates the attack
characterized by the predefined pattern.

Claim 17 (original). The system of claim 16, wherein the stored data comprises one or more of 
the following: a network address from which one of the plurality of the requests is 
communicated; a credential type of the one of the plurality of the requests; a user account 
associated with the one of the plurality of the requests; a failed password associated with the one 
of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp 
indicating a date and time of the one of the plurality of the requests; a type of interface from
which the one of the plurality of the requests is communicated; and the user agent from which 
the one of the plurality of the requests is communicated. 

Claim 18 (original). The system of claim 16, wherein said predefined pattern is characterized by 
one or more of the following: using a single password to unsuccessfully attempt a quantity of 
requests on multiple user accounts within a predefined time interval; using the single password to 
unsuccessfully attempt the quantity of the requests from a single network address on the multiple
user accounts within the predefined time interval; and unsuccessfully attempting the quantity of
the requests from the single network address within the predefined time interval. 

Claim 19 (original). The system of claim 16, wherein said predefined pattern is characterized by 
one or more of the following: using multiple passwords to unsuccessfully attempt a quantity of 
requests on a single user account within a predefined time interval; using the multiple passwords 
to unsuccessfully attempt the quantity of the requests from a single network address on the single 
user account within the predefined time interval; unsuccessfully attempting the quantity of the 
requests on the single user account within the predefined time interval; using a single password
to unsuccessfully attempt a quantity of requests from multiple network addresses on a single user
account within a predefined time interval; and using the multiple network addresses to
unsuccessfully attempt the quantity of the requests on the single user account. 

Claim 20 (currently amended). The system of claim 16, wherein the processor is configured to 
search the stored data to identify at least one of the plurality of the requests by generating a result 
set based on one or more of the following query variables: a network address that communicates 
[[an]] a request, a quantity of user accounts for which access has been attempted, a password 
associated with a failed request, a quantity of failed requests for one or more user accounts, a 
quantity of requests for one or more user accounts, and a time interval during which one or more 
requests are communicated; wherein the result set identifies the stored data relating to one or 
more requests that correspond to the query variables. 

Claim 21 (currently amended). The system of claim 16, wherein the processor is further
configured to generate a report if it is determined in response to detecting the attack that one or
more of the identified requests indicate the attack characterized by the predefined pattern, said
report providing information regarding the characterized attack for use in defending against the 
attack. 

Claim 22 (currently amended). The system of claim 16, wherein the processor is further
configured to remedy the characterized attack if it is determined in response to detecting the
attack that one or more of the identified requests indicate the characterized attack.

Claim 23 (original). The system of claim 16, wherein the plurality of the requests comprises one 
or more of the following types of requests: authentication, registration, and password-reset; 
wherein one of the plurality of the requests is communicated via a human interaction proof; and 
wherein the stored data comprises one or more of the following: a network address from which 
the one of the plurality of the requests is communicated, a process where the human interaction 
proof is implemented, a time stamp indicating a date and time of the one of the plurality of the 
requests, and the user agent from which the one of the plurality of the requests is communicated. 

Claim 24 (original). The system of claim 23, wherein said predefined pattern is characterized by
one or more of the following: using multiple test strings to unsuccessfully attempt a quantity of 
requests on a single human interaction proof string within a predefined time interval; and using a 
single test string to attempt unsuccessfully the quantity of the requests on multiple human 
interaction proof strings within the predefined time interval. 

Claim 25 (canceled). 

Claim 26 (currently amended). A user authentication system, said system receiving a plurality of
authentication requests communicated from a plurality of user agents, each of said requests 
including a password associated therewith, said system comprising: 

a first memory area to store data relating to a plurality of unsuccessful requests 
communicated from [[a]] the plurality of user agents, wherein the stored data includes the
password of each of the unsuccessful requests communicated from the plurality of user agents
and does not include the password of any successful requests;

a second memory area to store a predefined pattern of one or more requests, said 
predefined pattern characterizing an attack based on the password of each of the one or more
requests; and

a processor configured to execute computer-executable instructions to:

search the stored data based on a query variable to generate a result set that identifies at
least one of the plurality of the requests communicated from at least one of the plurality of the
user agents, and

compare each of the identified requests with the predefined pattern to determine if the
characterized attack has occurred, and

detect the attack in response to determining that the characterized attack has occurred.

Claim 27 (original). The system of claim 26, wherein the stored data comprises one or more of 
the following: a network address from which one of the plurality of the requests is 
communicated; a credential type of the one of the plurality of the requests; a user account 
associated with the one of the plurality of the requests; a failed password associated with the one 
of the plurality of the requests; a status of the one of the plurality of the requests; a time stamp
indicating a date and time of the one of the plurality of the requests; a type of interface from
which the one of the plurality of the requests is communicated; and a user agent from which the
one of the plurality of the requests is communicated. 

Claim 28 (original). The system of claim 26, wherein said predefined pattern is characterized by
one or more of the following: using a single password to unsuccessfully attempt at least a
predetermined quantity of requests on multiple user accounts within a predefined time interval; 
using the single password to unsuccessfully attempt at least the predetermined quantity of the 
requests from a single network address on the multiple user accounts within the predefined time 
interval; and unsuccessfully attempting at least the predetermined quantity of the requests from 
the single network address within the predefined time interval. 

Claim 29 (currently amended). The system of claim 26, wherein the processor is further 
configured to generate a report if the characterized attack is determined to have occurred in
response to detecting the attack, said report providing information regarding the characterized
attack for use in defending against the attack. 

Claim 30 (original). The system of claim 26, wherein the processor is further configured to 
remedy the characterized attack if the characterized attack is determined to have occurred. 

Claim 31 (original). The system of claim 26, wherein the plurality of the requests comprises one
or more of the following types of requests: authentication, registration, and password-reset; 
wherein one of the plurality of the requests is communicated via a human interaction proof; and 
wherein said predefined pattern is characterized by one or more of the following: using multiple
test strings to unsuccessfully attempt at least a predetermined quantity of requests on a single 
human interaction proof string within a predefined time interval, and using a single test string to 
unsuccessfully attempt at least the predetermined quantity of the requests on multiple human
interaction proof strings within the predefined time interval. 

Claim 32 (original). The system of claim 26, further comprising means for determining if the
stored data associated with one or more of the plurality of the requests matches the predefined 
pattern. 

Claim 33 (currently amended). One or more computer-readable storage media having computer- 
executable components for detecting an attack on an authentication service, said authentication 
service receiving a plurality of authentication requests communicated from a plurality of user 
agents via a data communication network, each of said requests including a password associated 
therewith, said computer-readable media comprising: 

a memory component to store data relating to a plurality of unsuccessful requests 
communicated to [[an]] the authentication service from [[a]] the plurality of user agents, wherein
the stored data includes the password of each of the unsuccessful requests communicated to the
authentication service and does not include the password of any successful requests via a data
communication network,

a query component to search the stored data as a function of a query variable to identify 
at least one of the plurality of the requests communicated from at least one of the plurality of the 
user agents, and 

an analyzing component to compare the stored data associated with each of the identified 
requests with a predefined pattern characterizing an attack based on the password of each of the 
identified requests to determine when the identified request indicates the characterized attack on 
the authentication service and to detect the attack on the authentication service in response to 
determining that the identified request indicates the characterized attack.

Claim 34 (currently amended). The computer-readable storage media of claim 33, wherein the 
stored data comprises one or more of the following information: a network address from which 
one of the plurality of the requests is communicated; a credential type of the one of the plurality 
of the requests; a user account associated with the one of the plurality of the requests; a failed 
password associated with the one of the plurality of the requests; a status of the one of the 
plurality of the requests; a time stamp indicating a date and time of the one of the plurality of the 
requests; a type of interface from which the one of the plurality of the requests is communicated; 
and the user agent from which the one of the plurality of the requests is communicated. 

Claim 35 (currently amended). The computer-readable storage media of claim 33, wherein said
predefined pattern is characterized by one or more of the following: using a single password to 
unsuccessfully attempt a quantity of requests on multiple user accounts within a predefined time 
interval; using the single password to unsuccessfully attempt the quantity of the requests from a 
single network address on the multiple user accounts within the predefined time interval; and 
unsuccessfully attempting the quantity of the requests from the single network address within the 
predefined time interval. 

Claim 36 (currently amended). The computer-readable storage media of claim 33, further 
comprising a report component to generate a report if it is determined in response to detecting
the attack that one or more of the identified requests indicate the characterized attack, said report
providing information regarding the attack for use in defending against the attack. 

Claim 37 (currently amended). The computer-readable storage media of claim 33, further 
comprising a defense component to remedy the characterized attack if it is determined m

characterized attack.

Claim 38 (currently amended). The computer-readable storage media of claim 37, wherein said 
defense component is adapted to remedy the characterized attack by performing one or more of 
the following in response to detecting the attack: locking a user account associated with one of
the plurality of the requests; blocking a network address from which the one of the plurality of 
the requests is communicated; implementing a human interaction proof on the authentication 
service; prompting a user to change a password associated with the user account; and limiting a 
quantity of allowed unsuccessful requests to a predetermined quantity within a predefined time 
interval for the network address from which the one of the plurality of the requests is 
communicated. 

Claim 39 (currently amended). The computer-readable storage media of claim 33, wherein the 
plurality of the requests comprises one or more of the following types of requests: authentication,
registration, and password-reset; wherein one of the plurality of the requests is communicated via
a human interaction proof; and wherein said predefined pattern is characterized by one or more 
of the following: using multiple test strings to unsuccessfully attempt a quantity of requests on a 
single human interaction proof string within a predefined time interval, and using a single test 
string to unsuccessfully attempt the quantity of the requests on multiple human interaction proof 
strings within the predefined time interval. 

Claim 40 (currently amended). The computer-readable storage media of claim 33, wherein the 
query component is adapted to search the stored data to identify at least one of the plurality of 
the requests by generating a result set based on one or more of the following query variables: a
network address that communicates [[an]] a request, a quantity of user accounts for which access 
has been attempted, a password associated with a failed request, a quantity of failed requests for 
one or more user accounts, a quantity of requests for one or more user accounts, and a time 
interval during which one or more requests are communicated; and wherein the result set 
identifies the stored data relating to one or more requests that match the query variables. 



